The tarball to be used often has an MD5 sum or other hash on the project
download page, so why not introduce a hash field for every source in the spec
that needs to match the hash sum of the tarball? Then a reviewer only needs
to verify that the hash sums in the .spec files match the ones from the project
download page, and the ball about malicious code is in upstream's court =)

With FreeBSD we have been doing this for ages, including MD5 and SHA
hashes as well as the file size as part of the equivalent of spec there.

It's been working pretty well, so I recommend we do this for openSUSE,
too.
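As an added illustration of the distinfo-style check described above (not code from the thread or from FreeBSD's ports tools), the following Python verifier parses a constructed manifest that records a SHA-256 digest and the file size per source file, and checks a tarball against it; the file name, the SHA-256 choice instead of MD5, and the manifest line format are assumptions for this example.

```python
import hashlib
import hmac
import re

# Constructed stand-in for a downloaded source archive (not a real upstream tarball).
SAMPLE_TARBALL = b"constructed tarball bytes for foo-1.0.tar.gz\n" * 4


def make_manifest(name: str, data: bytes) -> str:
    """Build a distinfo-style manifest: one digest line and one size line per source file."""
    return (f"SHA256 ({name}) = {hashlib.sha256(data).hexdigest()}\n"
            f"SIZE ({name}) = {len(data)}\n")


# Matches lines such as: SHA256 (foo-1.0.tar.gz) = <hex>   or   SIZE (foo-1.0.tar.gz) = 176
LINE_RE = re.compile(r"^(?P<kind>SHA256|SIZE) \((?P<name>[^)]+)\) = (?P<value>\S+)$")


def parse_manifest(text: str) -> dict:
    """Return {filename: {"SHA256": hexdigest, "SIZE": int}} from distinfo-style lines."""
    entries = {}
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # blank or comment lines carry no pin
        entry = entries.setdefault(m["name"], {})
        entry[m["kind"]] = int(m["value"]) if m["kind"] == "SIZE" else m["value"].lower()
    return entries


def verify_source(name: str, data: bytes, entries: dict) -> tuple:
    """Check the cheap size pin first, then the digest; an unlisted source fails closed."""
    entry = entries.get(name)
    if entry is None or "SHA256" not in entry:
        return False, "no SHA256 entry for source"
    if "SIZE" in entry and entry["SIZE"] != len(data):
        return False, "size mismatch"
    actual = hashlib.sha256(data).hexdigest()
    # Constant-time comparison so a mismatch does not leak how many leading hex chars agreed.
    if not hmac.compare_digest(actual, entry["SHA256"]):
        return False, "sha256 mismatch"
    return True, "ok"


if __name__ == "__main__":
    manifest = parse_manifest(make_manifest("foo-1.0.tar.gz", SAMPLE_TARBALL))
    print(verify_source("foo-1.0.tar.gz", SAMPLE_TARBALL, manifest))
```

The pin only proves the packaged tarball is the one the packager recorded; the reviewer still has to compare the recorded digest against the value upstream publishes, which is the step the proposal above relies on.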

Well, the only way to be doing this effectively is to make it mandatory.

(we could make this "recommended" for one cycle, and then mandatory, I
guess)

If we enforce this to be mandatory there will be quite an outcry, because
we did not do this before and it actually causes even more work.

Sure, it'll be painful. But if it's worth it for security, then we could
do some experimentation with volunteers to see if this is something they
can handle.